Re: the cold-boot attack - a paper tiger?

--- Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> 1) gpg and losetup communicate using pipes. losetup sends passphrase to gpg
>    using a pipe. gpg sends decrypted key material to losetup using a pipe.
>    Last time I looked at mainline pipe code implementation, it did not
>    sanitize kernel RAM buffers that were used to temporarily hold pipe data.
>    For me personally this has not been a problem because I run kernels that
>    sanitize pipe buffers on last close of a pipe.
>
> 2) When hashing key material, sha512.c functions sha256_transform() and
>    sha512_transform() do not explicitly sanitize stack variables that may
>    contain data derived from last (65th) IV key material. In practice,
>    sensitive stack parts get overwritten by later stack usage of
>    losetup/mount programs.
>
> Other parts of losetup (and mount) always properly sanitize key material,
> excluding 'kill -9' type events.
>

Catching up on Jari's post - apologies, yahoo mail is
not so good for reading this list since it
unpredictably treats some posts as spam and dumps them
in the bulk folder.

Questions:

1. Which kernels sanitize pipe buffers in the way Jari
is saying?

2. I was under the impression SIGKILL couldn't be
trapped or ignored in C.  How then does loop-aes catch
a kill -9 and sanitize keys in memory before exiting?

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
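
An added example, not taken from this thread or from loop-AES, illustrating the quoted caveat about 'kill -9' type events: a handler can wipe a key buffer on a catchable signal such as SIGTERM, while sigaction() refuses to install any handler for SIGKILL and fails with EINVAL. The names key, seen, on_signal, try_install and key_wiped_after are hypothetical, and the key bytes are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static unsigned char key[64];       /* constructed stand-in for key material */
static volatile sig_atomic_t seen;  /* last signal the handler ran for */

/* Wipe via a volatile pointer so the stores are not optimised away. */
static void on_signal(int sig)
{
    volatile unsigned char *v = key;
    for (size_t n = sizeof key; n--; ) *v++ = 0;
    seen = sig;
}

/* Install the wiping handler; returns 0 or the errno set by sigaction(). */
int try_install(int sig)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    return sigaction(sig, &sa, NULL) == 0 ? 0 : errno;
}

/* Fill the key and raise sig against ourselves. Returns 1 if the key was
   wiped, 0 if not, -1 if no handler could be installed (sig not raised). */
int key_wiped_after(int sig)
{
    memset(key, 0xA5, sizeof key);
    seen = 0;
    if (try_install(sig) != 0)
        return -1;
    raise(sig);
    for (size_t i = 0; i < sizeof key; i++)
        if (key[i]) return 0;
    return seen == sig;
}

int main(void)
{
    printf("SIGTERM: wiped=%d\n", key_wiped_after(SIGTERM));
    printf("SIGKILL: install errno=%d (EINVAL=%d)\n", try_install(SIGKILL), EINVAL);
    return 0;
}
```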

